For bug hunters in India, Apple has become a new honeypot


Apple has released the latest versions of its operating systems, iOS 14 for iPhones and iPadOS 14 for iPads. It has drawn criticism for not giving developers enough time to submit their applications for review, and you can expect issues for some time. This is not great for end users, but for the fast-growing community of ethical hackers and security researchers in India, Apple's issues ring like a chime announcing money-making opportunities.

Global platforms including Bugcrowd and HackerOne are also seeing a tremendous increase in bug reports from Indian researchers. According to HackerOne, 64,000 new hackers from India signed up between January and July, compared to 29,000 in the same period of 2019. Over the same period, the number of bounties paid by companies also doubled, including heavy payouts from companies such as Apple.

28-year-old Narendra Bhati moved to Ahmedabad in Gujarat from a small town called Shoganj in Rajasthan to pursue his dream, and started his journey as an animator. However, after reading a blog post on Facebook about hacking, he decided to abandon the animation course, for which he had already paid the first instalment, and turned to cybersecurity instead.

Eventually, Bhati joined an institute that trains students and corporate employees in ethical hacking, while also learning about web hacking and penetration testing himself. He spent his nights researching and reporting security flaws, and his days teaching students the basics of white hat hacking.

In 2016, Bhati received his first reward, from the Russian search engine Yandex, for reporting a flaw. The payout was $109 (about Rs 8,000).

The Rajasthani millennial has found around 500 bugs so far for various companies, including global names such as Facebook, Google, LinkedIn, and Microsoft. But in early June, he began testing Apple products to find security issues in the company's software and infrastructure.

For one reported bug, Apple rewarded Bhati with $16,000 (about Rs 12 lakh) on August 6. This was his biggest reward yet. He made the news public via a tweet, although he did not reveal details of the flaw, as some related vulnerabilities remain to be fixed.

“In comparison [to some] other companies, they [the security team at Apple] are very transparent in providing updates to reporters,” Bhati, who is currently working as a lead pentester (assistant manager) at Suma Soft, told Gadgets 360. “I had a very bad experience at some other programs where reporters needed to wait for weeks to get feedback.”

The Cupertino company launched its Security Bounty program in December last year, opening it to all security researchers and offering rewards of $1 million (about Rs 7.36 crore) and more. This has attracted many security researchers, commonly known in their community as bug bounty hunters. Some have been paid huge rewards, while others are honoured in the company's hall of fame, a dedicated support page where the company credits people for reporting potential security issues in its web servers.

The move of Indian security researchers to Apple's Security Bounty program gained even more momentum after Delhi-based mobile app developer Bhavuk Jain won $100,000 (about Rs 74 lakh) for finding a significant bug in the 'Sign in with Apple' facility.

Jain entered the world of cybersecurity three years ago, and his first bug, found in Yahoo, is what eventually made him a security researcher. It took him four hours to find the Sign in with Apple bug, which could have allowed attackers to gain access to linked user accounts. He reported the flaw to Apple in mid-April, and after following up with the company, he publicly disclosed it through a blog post on May 30.

“Apple is a highly security-focused company,” Jain, 28, told Gadgets 360. “Every software has bugs.”

Like Jain and Bhati, Armaan Pathan of Gandhinagar in Gujarat received a reward of $6,000 (approximately Rs 7.5 lakh) on August 1. He ventured into the ethical hacking industry in 2015 after learning basic penetration testing skills from Bhati. He began his journey as a security researcher by participating in bug bounty programs available through platforms including Bugcrowd, HackerOne, and Synack. The 25-year-old had found more than 100 security vulnerabilities in companies including Dropbox, Facebook, Google, and Twitter, among others, before focusing his attention on Apple.

“I still remember that I started testing that application in December 2018,” he said. “I was not actively looking for issues there, but in late July, I found an issue and I reported it.”

Apple acknowledged Pathan's bug report within a couple of days, though it took the company 15 to 20 days to fix the flaw and send the reward.

Apart from Bhati, Jain, and Pathan, there are many security researchers in India who have reported bugs to Apple, although they were not eligible for a reward.

Varun Gupta, 21, of Alwar, Rajasthan, is among the young Indian researchers listed in Apple's Hall of Fame for reporting security misconfigurations in an Apple server.

“I have seen many researchers posting about the fame and rewards they are getting from Apple, so I tried it out as well,” said Gupta from Dehradun, Uttarakhand.

Along with Gupta, Hrithik Chadha has also been honoured by Apple for disclosing an information leak on an Apple subdomain. The bug was leaking internal system information and the internal API calls being made by the system. While it did not affect end users, it could have helped malicious attackers gain information about Apple's internal network, said the 20-year-old, who is from Bulandshahr, Uttar Pradesh, and a student of the Bachelor of Computer Applications program at Amity University, Noida.

“I was actively testing the Apple subdomains, looking for any vulnerabilities and, fortunately, I came across this endpoint,” he told Gadgets 360.

Big money, brand value as the leading causes of attraction
The listing on the Apple Security Bounty program webpage shows that the company pays bounties for a defined list of issue categories in its products and services. Payouts start at $25,000 (about Rs 18.5 lakh) for flaws in iCloud, the lock screen, and user-installed apps. The bounty goes up to $1 million (about Rs 7.37 crore) for major issues.

“Apple is running an attractive program because its rewards are huge compared to other reward programs,” said Rohit Gautam, founder of Hacktify Cyber Security, a Mumbai-based ethical hacking institute.

“Bug hunting involves a lot of effort,” said Himanshu Sharma, co-founder of the crowdsourced bug bounty platform BugsBounty.com. “Imagine spending hours to find a critical vulnerability and getting paid $100 (about Rs 7,300). It's demotivating for a lot of bug hunters, and that's why people lose interest in a program and some switch to different ones.”

In addition to the huge rewards, Apple's brand value makes it easier for the company to persuade Indian talent to look for flaws in its systems.

Vikash Chaudhary, founder of the Pune-based cybersecurity consultancy and training firm HackersEra, told Gadgets 360 that brand value makes a big impact, especially for freshers who are looking for a job as a security researcher or ethical hacker at a reputable firm.

Ojus Bisaria, 20, a security researcher from New Delhi who entered the field of bug hunting only three or four months ago, said “hunting for these types of targets” requires strong knowledge.

New Delhi-based Deeksha Chhabra, who has reported more than 200 vulnerabilities, said bug hunters used to focus equally on all the tech giants, whether Apple, Google, or Microsoft, but since Apple has recently paid out large sums to some people in the country, the focus has shifted.

Chhabra, 22, also reported some critical and high-severity server-side vulnerabilities to Apple. However, she told Gadgets 360 that those had already been reported by other researchers.

India as a leading market for security researchers
With many youngsters engaging in ethical hacking as a career, India has become a big market for security researchers. These people are helping various global companies fix their security issues. At the same time, finding bugs and reporting them through the bug bounty program enables Indian security researchers to earn far more than they would get through a traditional job.

“[Some] hackers have really become millionaires just from bug bounties,” said Sharma of BugsBounty.com. “This has certainly attracted a lot of security enthusiasts, especially college students from India.”

HackerOne said that India’s top ten hackers are earning up to 90 times the average salary of software engineers in the country.

“Hackers in India contributed 18 percent of vulnerability submissions in 2019 and have ranked among the top five highest-earning countries in the last three years,” HackerOne's community director Luke Tucker said in a statement to Gadgets 360. “Hackers in India promote hacking for good and reinforce that ethical hacking is becoming a viable career for many young professionals around the world.”

Like HackerOne, Bugcrowd is also seeing an increase in ethical hackers from India. A recent report released by Bugcrowd, which analysed 3,493 survey responses along with ethical hacking activity on the platform between May 1, 2019, and April 30, 2020, found that the majority of researchers who collected payouts were in India, followed by the US and Canada.

Lack of Indian bounty programs
There is a shortage of bug bounty programs in India, despite new security researchers joining the field, including participants from small towns and rural areas. Various Indian companies prefer not to pay researchers who report flaws and weaknesses in their systems. In addition, some companies do not even respond to reports submitted by researchers.

“Many Indian companies try to save their money by not hosting bug bounty programs, and in turn fall prey to attackers with ransomware-like attacks and pay 10 times more than they would have paid in bug bounties,” said Gautam.

Shubham Gupta, who has actively reported bugs through Bugcrowd and HackerOne since March 2014 and works as an assistant manager in the risk advisory department at Deloitte, believes it is quite difficult to be a full-time bug hunter in India, mainly due to the lack of rewards from local companies.

Many Indian startups nowadays offer bug bounties to researchers who report vulnerabilities, so that they can fix them proactively. However, researchers believe the payments are quite low compared with what they get from international organisations.

“A lot of companies don’t pay researchers a fair amount,” said Sharma of BugsBounty.com.

He said a reasonable reward amount would motivate researchers to participate more, which would help secure local infrastructure rather than leaving researchers focused on global giants like Apple.

For now, a large number of researchers still prefer the global stage because it offers them wider reach and global exposure.

